WannaCry: A Massive Ransomware Outbreak

WannaCry: What do you need to know?

Following the Shadow Brokers' release of leaked NSA hacking tools, criminal hacker groups used 2017's most notorious Microsoft Windows exploit, the NSA-developed "ETERNALBLUE", which exploits a vulnerability in the Windows SMB protocol. The group behind the WannaCry ransomware launched the largest cyber attack in years, infecting more than 200,000 computers across the globe. The attack quickly dominated the news and created a wave of panic among Microsoft Windows users.

Note: If you want to skip the details and jump directly to the steps needed to block the attack, go to the "Preventive Measures" section.

Surface of Infection

The ransomware is known to exploit the NSA's SMB vulnerability in the Microsoft Windows operating system, which Microsoft patched on March 14, 2017, two months before the WannaCry attack and one month before the public release of ETERNALBLUE. The attack vector was mainly massive spear-phishing campaigns that trick the user into opening a malicious URL or an attached document, which executes a dropper that downloads the ransomware.

To protect your organization or systems from infection through this attack surface, you must have a strong and properly configured email filtering gateway with URL and attachment inspection. These features help identify the malicious emails used in the attack campaign and reduce your risk of infection.

Data Consult advises its clients to use an industry-leading proxy device, such as ProxySG provided by BlueCoat, to prevent its systems and users from accessing malicious URLs and domains.

Preventive Measures

A Kill-Switch to stop the worm from spreading

A kill switch is a mechanism that stops or ceases a functionality or behavior. The first two, and most widespread, variants of WannaCry had simple kill switches that halt the attack process and stop the SMB worm deployed by the ransomware from spreading to other systems. You can protect your systems from most of the attack variants by configuring a DNS sinkhole for the WannaCry kill-switch domains on your DNS server/provider, proxy or URL filtering device.

Note: Sinkhole the kill-switch domains rather than denying them. Some WannaCry variants continue spreading across the network if the DNS query returns no response at all, whereas any response, valid or not, triggers the kill switch.

Data Consult provides its customers with state-of-the-art solutions to configure DNS sinkholing and detect infected hosts and systems inside the enterprise network. Both Cisco Umbrella for DNS protection and Palo Alto Networks Anti-Spyware provide this feature with comprehensive reporting on infected systems.

Disable SMBv1

Additionally, you can manually disable the vulnerable SMBv1 protocol by following a few simple steps:

Open Control Panel

Navigate to Programs and Features

Select Turn Windows features on or off from the left pane

Disable SMB 1.0 / CIFS File Sharing Support
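The same change from an elevated PowerShell prompt, so it can be scripted across many hosts, as an added example that is not part of Data Consult's advisory. It assumes Windows 8 / Server 2012 or later for the Smb* cmdlets and falls back to Microsoft's documented LanmanServer registry value on older systems.

```powershell
# Added example: audit and disable the SMBv1 server on the local host (run elevated).
# Assumes Windows 8 / Server 2012+ for the Smb* cmdlets; older hosts use the registry value.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Status {
    # Returns $true when the SMBv1 server is still enabled, $false when it is off.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: the SMB1 DWORD under LanmanServer\Parameters; absent means enabled.
    $value = (Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $value) -or ($value -ne 0)
}

function Disable-Smb1 {
    # Turns off the SMBv1 server and, where the OS exposes it, removes the optional feature
    # ("SMB 1.0/CIFS File Sharing Support" in the Control Panel steps above).
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force
    }
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feature -and $feature.State -eq 'Enabled') {
            # -NoRestart defers the reboot; feature removal completes after the next restart.
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }
}

if (Get-Smb1Status) {
    Write-Warning "SMBv1 is enabled on $env:COMPUTERNAME; disabling it."
    Disable-Smb1
    Write-Output "SMBv1 server enabled after change: $(Get-Smb1Status) (reboot to finish feature removal)"
} else {
    Write-Output "SMBv1 is already disabled on $env:COMPUTERNAME."
}
```

Run Get-Smb1Status alone first on a sample of hosts to measure exposure before pushing the change fleet-wide.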

Data Consult works with various vendors to provide its clients with comprehensive solutions and advises them on the most effective products to protect their organization from such attacks.

Next-Generation Firewalls that include an Intrusion Prevention System (IPS), application whitelisting, URL filtering and Advanced Malware Protection (AMP), such as those provided by Cisco and Palo Alto Networks, can stop the infection at an early stage by cutting off communication to the malicious domains and URLs and by inspecting traffic for the SMB exploit.

Recommendation

Apply Microsoft Security update MS17-010 on all your systems

Apply Cisco IPS Signatures Rule ID: 42329-42332, 42340, 41978

Apply Palo Alto Networks Rule ID: 38353, 38590, 38591, 39002, 39003

Make sure you have regular backups available of all business critical systems and data

Disable SMBv1 and block all versions of SMB at the network perimeter by blocking TCP ports 139 and 445 on all edge devices